Re-enrollment Outcomes Based on Policy and Source

Scenario	Original Cert Source	Expected Behavior
Upload CSR Failure	Upload CSR (with the default re-enrollment template)	The re-enrollment process is halted and the system throws the following error message: [On manual re-enroll] Re-Enrollment failed: The original certificate was created via manual CSR upload, which is not supported by the Default Re-Enrollment Template. Please use a CA-specific template or update the CA Connector configuration to a supported generation source (AppViewX, Endpoint, or HSM). [On auto re-enroll] Unsupported source - 'uploadCSR with the Default Re-Enrollment Template
Unsupported Feature	Use Existing Private Key (with the default re-enrollment template)	System prevents the re-enrollment action and logs an Unsupported Source error, displaying the following error message: [On manual re-enroll]: Re-Enrollment failed: The Default Re-Enrollment Template does not support the 'Use Existing Private Key' option. Please use a CA-specific template or update the CA Connector configuration to a supported generation source (AppViewX, Endpoint, or HSM). [On auto re-enroll]: Unsupported source - 'Use existing Private Key' with the Default Re-Enrollment Template
CSR Reuse Integrity	Use Existing CSR	The user interface will display the fields (for example, CN, SAN) being updated by the policy. In the backend, the the original CSR content is reused for certificate re-enrollment. Outcome: Success [The issued certificate matches the original CSR exactly.]
Inherited Success	AppViewX / HSM	Re-enrollment completes successfully using the original source stored in the certificate metadata.
CA-Specific Logic	Any Source	If a CA-Specific Template is matched, these limitations disappear; the UI shows the configured source and the re-enrollment proceeds per that configuration.

Upload CSR Failure

Upload CSR (with the default re-enrollment template)

The re-enrollment process is halted and the system throws the following error message:

[On manual re-enroll] Re-Enrollment failed: The original certificate was created via manual CSR upload, which is not supported by the Default Re-Enrollment Template. Please use a CA-specific template or update the CA Connector configuration to a supported generation source (AppViewX, Endpoint, or HSM).

[On auto re-enroll] Unsupported source - 'uploadCSR with the Default Re-Enrollment Template

Unsupported Feature

Use Existing Private Key (with the default re-enrollment template)

System prevents the re-enrollment action and logs an Unsupported Source error, displaying the following error message:

[On manual re-enroll]: Re-Enrollment failed: The Default Re-Enrollment Template does not support the 'Use Existing Private Key' option. Please use a CA-specific template or update the CA Connector configuration to a supported generation source (AppViewX, Endpoint, or HSM).

[On auto re-enroll]: Unsupported source - 'Use existing Private Key' with the Default Re-Enrollment Template

CSR Reuse Integrity

Use Existing CSR

The user interface will display the fields (for example, CN, SAN) being updated by the policy.

In the backend, the the original CSR content is reused for certificate re-enrollment.

Outcome: Success [The issued certificate matches the original CSR exactly.]

Inherited Success

AppViewX / HSM

Re-enrollment completes successfully using the original source stored in the certificate metadata.

CA-Specific Logic

Any Source

If a CA-Specific Template is matched, these limitations disappear; the UI shows the configured source and the re-enrollment proceeds per that configuration.